This information is available in a webcast that originally aired on September 16, 2021. If you want additional information, watch the full webcast here. Also, please read the Citizen Labs blog posts linked at the end.
What You Need to Know
It was recently discovered that a dangerous zero-click zero-day exploit affects all iOS versions prior to 14.8, macOS versions prior to Big Sur 11.6 (Catalina is covered by Security Update 2021-005), and Apple Watches running watchOS versions prior to 7.6.2.
Zero-click means no user interaction is required: an attacker simply sends a message to the target’s mobile device, and the device is compromised. Zero-day means the exploit was found in use before a patch was available; it is no longer truly zero-day, as a patch has now been released. The net result? Patch now! The patch addresses two CVEs, CVE-2021-30860 and CVE-2021-30858, and updates iOS, macOS, and watchOS against the exploit.
This zero-day exploit has been dubbed FORCEDENTRY by Citizen Labs, who disclosed it to Apple. Citizen Labs discovered it on a phone provided to them in March 2021. Their assessment is that it was probably first released around February 2021 and has been active since then. They attribute this particular attack to NSO, at least in part because the Pegasus software was discovered on the affected iPhone.
CVE-2021-30860 is an integer overflow flaw in the CoreGraphics library. It was triggered by a zero-click iMessage delivery and is the start of an exploit chain. CVE-2021-30858 patches the same problem in WebKit. The rest of the exploit chain has not been disclosed yet, likely to make it harder for other threat actors to reverse engineer and diff the patches in order to determine how this particular exploit chain was constructed.
What You Need to Do (Action Items)
The flaw in the CoreGraphics library is found across all of the operating systems that Apple is maintaining. Implement a Patch Now approach on iOS, macOS, and watchOS.
Citizen Labs assesses that the technique has been in use since February 2021, and their blog post lists specific hostname- and IP-based IOCs related to what they assess to be Pegasus infrastructure. If you can’t get access to the phone to make a backup but do have network data, you can look for communications to the specific IOCs identified in the blog posts. Keep in mind that those IOCs might have changed and might not be the only IP addresses and domain names in use.
If you do have the phone, make a backup and look for the detailed indicators present on it. The Twitter thread linked under Sources describes how to query the backup’s message attachment database for received files with the .gif extension, and then check whether those .gif files are actually .PSD (Photoshop) or .PDF (Portable Document Format) files. This file-extension-to-type mismatch is an indicator of this specific attack.
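As an added example (not from the webcast or the linked thread), the following Python script implements the extension-versus-content check described above by inspecting each file’s leading bytes instead of trusting its name. It assumes the attachments have already been extracted from the backup into an ordinary directory (the backup’s own database layout is not handled), and the sample files it scans are constructed inline.

```python
import tempfile
from pathlib import Path

# Magic-byte prefixes for the formats this advisory mentions.
# Constructed lookup table; only the file header is inspected.
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"8BPS": "psd",
}


def sniff_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its extension."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"


def find_mismatched_gifs(root: Path) -> list[tuple[str, str]]:
    """Return (relative path, sniffed type) for every *.gif under root
    whose contents are not actually GIF. The extension check is
    case-insensitive; results are sorted by path for stable output."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".gif":
            continue
        with path.open("rb") as fh:
            head = fh.read(16)  # enough for every prefix in MAGIC
        kind = sniff_type(head)
        if kind != "gif":
            hits.append((path.relative_to(root).as_posix(), kind))
    return hits


def build_sample_tree(root: Path) -> None:
    """Constructed sample attachments: one genuine GIF, a PDF and a PSD
    disguised with a .gif extension, and one .gif with unknown content."""
    att = root / "Attachments"
    att.mkdir(parents=True, exist_ok=True)
    (att / "real.gif").write_bytes(b"GIF89a" + b"\x00" * 10)
    (att / "disguised_pdf.gif").write_bytes(b"%PDF-1.4\n%constructed")
    (att / "DISGUISED_PSD.GIF").write_bytes(b"8BPS\x00\x01")
    (att / "truncated.gif").write_bytes(b"\x00\x01")
    (root / "notes.txt").write_bytes(b"not an attachment")


def scan_sample() -> list[tuple[str, str]]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return find_mismatched_gifs(Path(tmp))


if __name__ == "__main__":
    for rel, kind in scan_sample():
        print(f"{rel}: extension says gif, content is {kind}")
```

Point `find_mismatched_gifs` at the extracted attachment directory of a real backup to list every .gif whose header does not match; an `unknown` result still deserves a manual look rather than being dismissed.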
Sources:
- Citizen Labs 2021-09-13 blog post: https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/
- Citizen Labs 2021-08-24 blog post: https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/
- Apple Security Update 2021-09-13: https://support.apple.com/en-ca/HT212807
- Costin Raiu: https://threadreaderapp.com/thread/1437673736749162496.html